Security Bulletin — How Avi is Addressing Meltdown and Spectre

Summary

Over the last few weeks there has been thorough discussion of Meltdown and Spectre, the critical vulnerabilities in modern processors. Malicious users can exploit these vulnerabilities to steal sensitive data stored in the memory of running programs.

Avi Networks has analyzed the impact of these vulnerabilities across a broad range of infrastructure configurations, evaluated each setup against the underlying risks, and provided recommended actions below.

Avi has also conducted performance testing. Based on the testing so far, the impact of the patches on the overall system performance is insignificant.

Details

Is Avi Vantage impacted?

  • When run as a virtual machine, Avi Vantage software (Controller and Service Engines) runs on Linux, and hence Avi needs to update the kernel for SE and Controller images to include the kernel patches released by the Linux community. Please see below for release timelines.
  • Avi Vantage running in a container or bare metal environment is not impacted by the security vulnerability, though the underlying host operating system may need to be patched based on your host operating system vendor’s recommendations.
  • In environments where Avi Vantage supports DPDK, it needs to be interoperable with the kernel loadable module (KLM) of the underlying host and so it may require an update to support the patched host OS.
  • For more details on the actions needed for various environments and the availability of the patch, please refer to the table below.
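To confirm that a container or bare metal host has picked up its OS vendor's kernel patches, the kernel's own status report can be read. The script below is an added example, not Avi tooling and not part of the original bulletin; it assumes the host kernel exposes /sys/devices/system/cpu/vulnerabilities (mainline Linux 4.15 and later, plus stable and vendor backports), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify the host kernel's own Meltdown/Spectre report.
# Assumption: the kernel provides the sysfs "vulnerabilities" directory;
# kernels that predate it show up here as "unknown", not as "ok".

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status STRING -> prints ok, vulnerable or unknown
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# check_host [DIR] -> prints one line per issue and returns 0 only when
# the kernel reports all three as not affected or mitigated.
check_host() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            status=$(cat "$dir/$name")
            verdict=$(classify_status "$status")
        else
            status="(no sysfs entry: kernel lacks the reporting interface)"
            verdict=unknown
        fi
        printf '%-11s %-10s %s\n' "$name" "$verdict" "$status"
        [ "$verdict" = ok ] || rc=1
    done
    return $rc
}

# Check the live host only when invoked with "--run".
if [ "${1:-}" = "--run" ]; then check_host; fi
```

A non-zero return from `check_host` means at least one entry is reported vulnerable or could not be read, so the host should be checked against the OS vendor's advisory before it is treated as patched.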

Impact and Actions

Meltdown and Spectre Impact and Actions
* For Kernel Loadable Module (KLM) interoperability with patched host OS
** For Meltdown and Spectre patches, which are included in Avi Vantage 17.2.6.

What is the impact of not upgrading Avi Vantage in a virtualized or public cloud environment?

As with any other network infrastructure component, Avi Vantage should always be set up with appropriate authorization controls so that only trusted users can log into the platform. The impact of these vulnerabilities in a real-world environment can be mitigated significantly if appropriate access controls have been set up for both Controller and Service Engines.

When will the patches for Avi Vantage be available?

The patches for 16.5 and 17.1 releases will be available by early February 2018. The patch for 17.2 is present in the 17.2.6 release.

Resources